Authors: R. Sarma Danturthi
ISBN: 9780138073725
Publisher: Addison-Wesley
Year of publication: 2024
Number of pages: 448
Language: English
File format: EPUB (converted to PDF, EPUB, or AZW3 on user request)
File size: 25 Mb
If you need the file of the book Database and Application Security: A Practitioner’s Guide converted to PDF, EPUB, AZW3, MOBI, or DJVU, you can notify support so that they convert the file for you.
Note that Database and Application Security: A Practitioner’s Guide is the original-language edition and has not been translated into Persian. The International Library website offers books in their original language and does not offer any books translated into or written in Persian.
Cover Page
Title Page
Contents
Table of Contents
Preface
Introduction
    Who Should Read This Book?
    How This Book Is Organized

Part I: Security Fundamentals

Chapter 1. The Basics of Cybersecurity
    Cybersecurity
    CIA-DAD
    I-A-A-A
    Defense in Depth
    Hardware and Software Security
    Firewalls, Access Controls, and Access Control Lists
    Physical Security
    Practical Example of a Server Security in an Organization
    Summary
    Chapter 1 Questions
    Answers to Chapter 1 Questions

Chapter 2. Security Details
    The Four Attributes: Encrypt, Compress, Index, and Archive
    Encryption, Algorithms
    Public Key Infrastructure
    Email Security Example
    Non-Repudiation, Authentication Methods (K-H-A)
    Current and New Algorithms
    Summary
    Chapter 2 Questions
    Answers to Chapter 2 Questions

Chapter 3. Goals of Security
    Goals of Security—SMART/OKR
    Who’s Who in Security: RACI
    Creating the RACI Matrix
    Planning—Strategic, Tactical, and Operational
    Events and Incidents
    Risks, Breaches, Fixes
    Security Logs—The More the Merrier
    Re/Engineering a Project
    Keeping Security Up to Date
    Summary
    Chapter 3 Questions
    Answers to Chapter 3 Questions

Part II: Database Security--The Back End

Chapter 4. Database Security Introduction
    ACID, BASE of DB, and CIA Compliance
    ACID, BASE and CIA
    Data in Transit, Data at Rest
    DDL and DML
    Designing a Secure Database
    Structural Security
    Functional Security
    Data Security
    Procedural Security
    Summary
    Chapter 4 Questions
    Answers to Chapter 4 Questions

Chapter 5. Access Control of Data
    Access Control—Roles for Individuals and Applications
    MAC, DAC, RBAC, RuBAC
    Passwords, Logins, and Maintenance
    Hashing and Checksum Methods
    Locking, Unlocking, Resetting
    Monitoring User Accounts, System Account
    Data Protection—Views and Materialized Views
    PII Security—Data, Metadata, and Surrogates
    Summary
    Chapter 5 Questions
    Answers to Chapter 5 Questions

Chapter 6. Data Refresh, Backup, and Restore
    Data Refresh—Manual, ETL, and Script
    ETL Jobs
    Security in Invoking ETL Job
    Data Pump: Exporting and Importing
    Backup and Restore
    Keeping Track—Daily, Weekly, Monthly
    Summary
    Chapter 6 Questions
    Answers to Chapter 6 Questions

Chapter 7. Host Security
    Server Connections and Separation
    IP Selection, Proxy, Invited Nodes
    Access Control Lists
    Connecting to a System/DB: Passwords, Smart Cards, Certificates
    Cron Jobs or Task Scheduler
    Regular Monitoring and Troubleshooting
    Summary
    Chapter 7 Questions
    Answers to Chapter 7 Questions

Chapter 8. Proactive Monitoring
    Logs, Logs, and More Logs
    Data Manipulation Monitoring
    Data Structure Monitoring
    Third-Party or Internal Audits
    LOG File Generation
    Summary
    Chapter 8 Questions
    LAB Work
    Answers to Chapter 8 Questions

Chapter 9. Risk, Monitoring, and Encryption
    Security Terms
    Risk, Mitigation, Transfer, Avoidance, and Ignoring
    Organized Database Monitoring
    Encrypting the DB: Algorithm Choices
    Automated Alerts
    Summary
    Chapter 9 Questions
    Answers to Chapter 9 Questions

Part III: Application Security--The Front End

Chapter 10. Application Security Fundamentals
    Coding Standards
    The Software Development Process
    Models and Selection
    Cohesion and Coupling
    Development, Test, and Production
    Client and Server
    Side Effects of a Bad Security in Software
    Fixing the SQL Injection Attacks
    Evaluate User Input
    Do Back-End Database Checks
    Change Management—Speaking the Same Language
    Secure Logging In to Applications, Access to Users
    Summary
    Chapter 10 Questions
    Answer to Chapter 10 Questions

Chapter 11. The Unseen Back End
    Back-End DB Connections in Java/Tomcat
    Connection Strings and Passwords in Code
    Stored Procedures and Functions
    File Encryption, Types, and Association
    Implementing Public Key Infrastructure and Smart Card
    Examples of Key Pairs on Java and Linux
    Symmetric Encryption
    Asymmetric Encryption
    Vulnerabilities, Threats, and Web Security
    Attack Types and Mitigations
    Summary
    Chapter 11 Questions
    Answers to Chapter 11 Questions

Chapter 12. Securing Software--In-House and Vendor
    Internal Development Versus Vendors
    Vendor or COTS Software
    Action Plan
    In-House Software Development
    Initial Considerations for In-House Software
    Code Security Check
    Fixing the Final Product—SAST Tools
    Fine-tuning the Product—Testing and Release
    Patches and Updates
    Product Retirement/Decommissioning
    Summary
    Chapter 12 Questions
    Answers to Chapter 12 Questions

Part IV: Security Administration

Chapter 13. Security Administration
    Least Privilege, Need to Know, and Separation of Duties
    Who Is Who and Why
    Scope or User Privilege Creep
    Change Management
    Documenting the Process
    Legal Liabilities
    Software Analysis
    Network Analysis
    Hardware or a Device Analysis
    Be Proactive—Benefits and Measures
    Summary
    Chapter 13 Questions
    Answers to Chapter 13 Questions

Chapter 14. Follow a Proven Path for Security
    Advantages of Security Administration
    Penetration Testing
    Penetration Test Reports
    Audits—Internal and External and STIG Checking
    OPSEC—The Operational Security
    Digital Forensics—Software Tools
    Lessons Learned/Continuous Improvement
    Summary
    Chapter 14 Questions
    Answers to Chapter 14 Questions

Chapter 15. Mobile Devices and Application Security
    Authentication
    Cryptography
    Code Quality and Injection Attacks
    User Privacy on the Device
    Sandboxing
    Mobile Applications Security Testing
    NIST’s Directions for Mobile Device Security
    Summary
    Chapter 15 Questions
    Answers to Chapter 15 Questions

Chapter 16. Corporate Security in Practice
    Case # 1: A Person Is Joining an Organization as a New Employee
    Case # 2: An Employee Is Fired or Is Voluntarily Leaving the Organization
    Case # 3: An Existing Employee Wants to Renew His Credentials
    Case # 4: An Existing Employee Privileges Are Increased/Decreased
    Case # 5: A Visitor/Vendor to the Organizational Facility
    Physical Security of DB and Applications
    Business Continuity and Disaster Recovery
    Attacks and Loss—Recognizing and Remediating
    Recovery and Salvage
    Getting Back to Work
    Lessons Learned from a Ransomware Attack—Example from a ISC2 Webinar
    Summary
    Chapter 16 Questions
    Answers to Chapter 16 Questions

Author Bio